developments in authenticated encryption...developments in authenticated encryption dr....
TRANSCRIPT
Developments in Authenticated Encryption
Dr. Markku-Juhani O. [email protected]
Norwegian University of Science and Technology
Finse Winter School, 05 May 2014
1 / 59
1. Layman’s Introduction to AuthenticatedEncryption
2 / 59
Authenticated EncryptionAn Authenticated Encryption (AE) primitive provides both:
▶ Authentication or message integrity protection, and▶ Encryption or confidentiality / privacy protection.
Preferably in a single processing step, allowing parallelism.Security protocols such as IPSec and SSL/TLS usually requiredtwo processing steps for each packet in 1990’s and 200x’s.
▶ Authentication was handled with HMAC (Hash MessageAuthentication Code), which builds a MAC from a hash H:
SQ HMAC(K,m) = H(K⊕ opad | H(K⊕ ipad | m)).▶ Encryption was provided either with block cipher such as
3DES-CBC or AES-CBC or a stream cipher such as RC4.Hardware implementation of such a twin set-up is cumbersome.This is still the standard mechanism in TLS 1.3, although transitionto authenticated encryption has been swift during last few years.
3 / 59
Encrypt-then-MAC vs. MAC-then-Encrypt (1)
M. Bellare and C. Nampremprey: “Authenticated Encryption:Relations among notions and analysis of the generic compositionparadigm” ASIACRYPT 2000.This paper was quite influential about 10+ years ago, but theresults have been overstated and often misinterpreted.It claimed that Encrypt-and-MAC (i.e. any modern AuthenticatedEncryption algorithm) “does not preserve privacy”
.. because the MAC could reveal information about theplaintext.
Solution: Just use any (randomized) MAC that does not revealsuch information.
4 / 59
Encrypt-then-MAC vs. MAC-then-Encrypt (2)
M. Bellare and C. Nampremprey:E & M also fails to provide integrity of ciphertexts. Thisis because there are secure encryption schemes with theproperty that a ciphertext can be modified withoutchanging its decryption.
Solution: Show that your encryption scheme does not have thatproperty. For example all stream ciphers are bijective and do nothave that property; Integrity of ciphertext exists for those.One can reasonably argue that the models (for “secure encryptionschemes” and “secure MACs”) that Bellare & Co. chose to usewere broken, not Encrypt-and-MAC itself.
5 / 59
Authenticated Encryption with Associated DataAn Authenticated Encryption with Associated Data (AEAD)primitive additionally allows associated (plaintext) data to beauthenticated (integrity protection only).Inputs:
▶ Secret Key for both confidentiality and integrity.▶ Initialization Vector (IV) which is typically a nonce.▶ Associated Data which is not encrypted, only authenticated.▶ Plaintext which is encrypted for confidentiality protection,
and also authenticated.
Outputs:▶ Ciphertext, which corresponds to the plaintext above.▶ Authentication Code, against modification of Ciphertext or
Associated Data.(Ciphertext and MAC may be intermixed.)
6 / 59
Role of Associated Data (1)
Authenticated Associated Data (AAD) typically consists ofinformation such as:
▶ Session identifier or Security Association▶ Source and destination address of message▶ Sequence number and other information stream reassembly
This information must be transmitted in clear for correct delivery,but its content must still be integrity protected with anauthentication key for security.Associated Data is typically managed by the secure transportprotocol or layer, and is transmitted in clear.
7 / 59
Role of Associated Data (2)
Message Payloadconfidentiality and integrity
Associated Dataintegrity protection only
From Alice’s ApplicationManaged by a Transport Protocol such as TLS, IPSec, SSH, ZRTP etc
AEAD
transmitted in clearAuthenticated Ciphertext
tagencrypted payload
AEAD−1
Nonceusually unique for message
Secret Keyfor auth and encrypt
optionally transmitted not transmitted, shared
Message Payloadconfidentiality and integrity
FAILor
To Bob’s Application
8 / 59
2010s: With AES-GCM AE is now mainstream
Your gmail, facebook, and VPN probably uses AES-GCM.GCM: Galois / Counter Mode, FIPS SP 800-38D (2007) is an
AEAD mode for AES.9 / 59
AES-GCM Only Approved “Suite B” Algorithm
AES-GCM is currently the only approved algorithm in NSA’sunclassified “Suite B”, making it basically the only choice forGovernmental and NATO COTS information processing.Currently certified up to TOP SECRET with 256-bit keys.
10 / 59
Historical Timeline▶ Authenticated encryption schemes go back some 30+ years
(ANSI X9.9 CBC-MAC, 1981).▶ First “provably secure” AEAD mode in year 2000 (IACBC).▶ The 2004 total break of MD5 by Xiaoyun Wang & Co.
resulted in near-panic with regard to SHA security, which inturn led to the SHA-3 competition (2007-2012).
▶ Apparently fear for HMAC-SHA security caused NSA to adoptAES-GCM in Suite B (2005) and to issue IETF RFCs forAES-GCM use in SSH, TLS, and IPSec.
▶ This is of course really quite silly as we know that evenHMAC-MD5 is more secure than AES-GCM (later).
▶ Some fear the the push by NSA to put AES-GCM everywhereis driven by some nefarious motives (I don’t think so).
▶ AES-GCM was applauded by the industry (e.g. CISCO) sinceAES-GCM is significantly easier/cheaper to implement forhigh-speed links in hardware. Intel adopted hardwareassistance in its processors in the form of AES NIS.
11 / 59
-H01-C4F17DD8C39908FF932A02B34422C845
-H02-D42130FD3AAC5E190C72CC9CC92192D1
01
-H03-4636BDBD1C7643D34EE4BB1BF9CA084F
01
-H04-44F17DD8C39908FF932A02B34422C845
01
-H06-92178D4026DA1DCA4296778730EB9A9E
03
-H09-82C7C065DFEF4B2CDDCEB9A8BDE8C00A
06
-H12-D6E6F098E5431535D1BC753474C952DB
09
-H00-80000000000000000000000000000000
12
-H05-10D04D25F93556E69F58CE2F8D035A94 01
01
-H10-90D04D25F93556E69F58CE2F8D035A94
05
1012
-H07-02C7C065DFEF4B2CDDCEB9A8BDE8C00A
01
0306
09
-H08-542130FD3AAC5E190C72CC9CC92192D1
01
0109
12
01 03
0610
-H11-56E6F098E5431535D1BC753474C952DB01
05
01
0609
12-H13-
12178D4026DA1DCA4296778730EB9A9E
01
03
-H14-C636BDBD1C7643D34EE4BB1BF9CA084F
01
01
0103
05
06
09
10
12
00
112 “Cycling Attacks on GCM, GHASH and
Other Polynomial MACs and Hashes”FSE 2012, Washington D.C. 20 March 2012
12 / 59
2. 21st Century crypto:Sponges, KECCAK, and CAESAR
13 / 59
SHA-3 Algorithm KECCAK: A Sponge-Based Hash
KECCAK and “SpongeFunctions” were invented by:
Guido Bertoni (STMicro)Joan Daemen (STMicro)Michaël Peeters (NXP)
Giles Van Assche (STMicro)
▶ 11 Feb 2007 NIST Call for Proposals▶ 31 Oct 2008 SHA3 Submissions (64)▶ 10 Dec 2008 First Round (54)▶ 24 Jul 2009 Second Round (14)▶ 09 Dec 2010 SHA3 Finalists (5)▶ 12 Aug 2011 KECCAK Team in
SAC ’11: “Duplexing the sponge..”▶ 02 Oct 2012 KECCAK Chosen▶ 04 Apr 2014 NIST publishes
“DRAFT FIPS 202, SHA-3 Standard:Permutation-Based Hash andExtendable-Output Functions”
≈ 2015 KECCAK will be officiallySecure Hash Algorithm 3.
14 / 59
SHA-3 Algorithm KECCAK: An U.S. Standard
▶ So.. an European Sponge will become the new U.S. Civilian,Federal Government and Military cryptographic hash standardfor digital signatures and other uses.
▶ And it might also become the standard for AuthenticatedEncryption !
15 / 59
The Sponge Construction for Hashing
▶ More general than traditional hash function: arbitrary-lengthoutput
▶ Built from a b-bit permutation f (π commonly used), withb = r + c
▶ r bits of rate, related to hashing speed▶ c bits of capacity, related to security
16 / 59
Generic Security as a Hash (from Keccak team)
▶ N is the number of finvocations
▶ r is the rate in bits▶ c is the capacity in bits
RO-differentiating adv. ≤ N2/2c+1
▶ Proven by Keccak team,Eurocrypt 2008
▶ As strong as random oracleagainst attacks with N < 2c/2
Bound assumes f to be a randompermutation
▶ Covers generic attacks againstthe mode
▶ .. but not attacks that exploitspecific properties of f
17 / 59
Regular Hashing and Salted Hashing
Unkeyed Hash Mode (SHA-3)▶ Electronic signatures
(PKCS #1 RSA, ECDSA)▶ Data integrity (sha1sum etc)▶ Data id (git, anti-virus, P2P)
Salted Mode▶ Randomized hashing
(RSASSA-PSS, Salt = IV)▶ Password storage (/etc/shadow)▶ Message Authentication Codes
(Salt = KEY)▶ Different security parameters
18 / 59
Other Provable Uses for Sponge Permutations
0 f f
Key
…
Padded message
f ff
MAC
0 f f
Key IV
f
Key stream
0 f f
Key
…
Padded messageIV
f
Key stream
ff
MAC
MAC Mode: Provably secure.
Stream Cipher Mode: Provablysecure.
Authenticated Encryption isencryption + MAC. We’ll come backto this later.
19 / 59
DuplexWrap (basic Sponge AE Scheme) BoundsTheoremThe DuplexWrap and BLNK authenticated encryption modessatisfy the following privacy and authentication security bounds:
Advprivsbob(A) < (M + N)2−k +
M2 + 4MN2c+1
Advauthsbob(A) < (M + N)2−k +
M2 + 4MN2c+1
against any single adversary A if K $← {0, 1}k, tags of l ≥ t bits areused, and π is a randomly chosen permutation.M is the data complexity (total number of blocks queried fromkeyed sponge instance) and N is the time complexity (total numberequivalents of π or its inverse execution time).
Proof.Theorem 4 of [KeyakV1]. See also [AnMePr10,BeDaPeAs11].
20 / 59
CAESAR 2014-2017
NIST-Funded Competition for AuthenticatedEncryption: Security, Applicability, and Robustness.http://competitions.cr.yp.to/caesar.html
▶ 15 Jan 2013 Announced by Dan Bernstein▶ 15 Mar 2014 First round submissions (57)▶ 15 May 2014 First-round software▶ 23-24 Aug 2014 DIAC ’14, UCSB▶ 15 Jan 2015 Second round candidates▶ 15 Feb 2015 Second round tweaks (fixes)▶ 15 Dec 2015 Third round candidates▶ 15 Dec 2016 Final round candidates▶ 15 Dec 2017 Portfolio announcement
21 / 59
CAESAR Situation May 1, 2014See https://aezoo.compute.dtu.dk for updates.Round 1 CandidatesACORN ++AE AEGIS AES-CMCC AES-COBRA AES-COPAAES-CPFB AES-JAMBU AES-OTR AEZ Artemia AsconAVALANCHE Calico CBA CBEAM CLOC Deoxys ELmD EnchiladaFASER HKC HS1-SIV ICEPOLE iFeed[AES] Joltik Julius KetjeKeyak KIASU LAC Marble McMambo Minalpher MORUS NORXOCB OMD PAEQ PAES PANDA π-Cipher POET POLAWISPRIMATEs Prøst Raviyoyla Sablier SCREAM SHELL SILC SilverSTRIBOB Tiaoxin TriviA-ck Wheesht YAES
▶ Based on AES or other Block Cipher▶ Based on KECCAK (submissions from KECCAK team)▶ Withdrawn from Competition by Authors▶ Pretty much broken by someone▶ Less fatal vulnerabilities reported
22 / 59
On CAESAR CryptanalysisI had two “one-man band” candidates:
▶ CBEAM, a super-lightweight Spongebased on BLNK and novel ideas likerotation-invariant ϕ functions.
▶ STRIBOB, a high-security Spongebased on BLNK an the LPS transformof GOST R 34.11-2012 LPS“Streebog” Permutation.
On April 3, 2014, Brice Minaud of ANSSIreported a relatively simple differentialattack on CBEAM that breaksauthentication with 2−43 probability. I stillcan’t believe that I missed this attack –CBEAM was already published in CT-RSA’14 (LNCS 8366). CBEAM.
23 / 59
On CAESAR CryptanalysisI had two “one-man band” candidates:
▶ CBEAM, a super-lightweight Spongebased on BLNK and novel ideas likerotation-invariant ϕ functions.
▶ STRIBOB, a high-security Spongebased on BLNK an the LPS transformof GOST R 34.11-2012 LPS“Streebog” Permutation.
On April 3, 2014, Brice Minaud of ANSSIreported a relatively simple differentialattack on CBEAM that breaksauthentication with 2−43 probability. I stillcan’t believe that I missed this attack –CBEAM was already published in CT-RSA’14 (LNCS 8366). CBEAM.
24 / 59
Agence nationale de la sécurité des systèmes d’information, France.They participate in public efforts like CAESAR and inform us
about bugs. Don’t expect that from NSA GCHQ FSB ..
25 / 59
3. “STRIBOB: Authenticated Encryption fromGOST R 34.11-2012 LPS Permutation”
CTCrypt 2014, 05-06 June 2014, Moscow, RUSSIA26 / 59
GOST R 34.11-2012Russian Standards (GOST)
▶ 28149-89 Block Cipher (KGB, 1970s)▶ R 34.11-94 was a hash based on
28149-89, used for R 34.10-94Signatures.
▶ Cryptanalysis by F Mendel et al(2008): 2105 collision, 2192 preimage.
▶ ”Streebog” proposed in 2009.▶ Since January 1, 2013, the Russian
Federation has mandated the use ofGOST R 34.11-2012 hash algorithm inGOST R 34.10-2012 digital signatures.
▶ Good security margin.▶ STRIBOB builds a Sponge AEAD
from Streebog!27 / 59
GOST R 34.11-2012 ”Streebog”The 2012 standard has superficial similarities to the 1994 standardbut also features clearly AES-inspired design elements. Intendedfor Digital Signatures (R 34.10-2012), but also used with HMAC.A (non-keyed) cryptographic hash function that produces a 256-bitor 512-bit message digest for a bit string of arbitrary length.Standard security requirements:
▶ Collision resistance:Finding m1 and m2, h(m1) = h(m2) should require 2
n2 effort.
▶ Pre-image resistance:Finding m for given h in h = H(m) should require 2n effort.
▶ Second pre-image resistance:Finding m2 for given m1 with h(m1) = h(m2) should require2n
|m2| effort.
Not a Sponge, but a Miyaguchi–Preneel - inspired construction:hi = Eg(Hi−1)(mi)⊕ hi−1 ⊕mi.
28 / 59
Computing h(M) with Compression Function gN(h,m)
g0 g512 g1024 g512n
m0 m1 m2 padmn
g0
|M |
g0
total length “checksum”
h(M)
· · ·
∑ni=0mi (mod 2512)
h = 0
ε = 0
M =
Padded message M is processed in 512-bit blocksM = m0 | m1 | · · · | mn by a compression function h′ = gN(h,mi).For 256-bit hashes, the initial h value is changed to 0x010101..01and the output h(M) is truncated to 256 bits.Chaining variable h has 512 bits. N is the bit offset of the block.There are finalization steps involving two invocations of g, first onthe total bit length of M, and then on checksum ϵ, which iscomputed over all input blocks mod 2512.
29 / 59
Streebog: The Compression Function gN(h,m)
LPS LPS
LPS
LPS
LPS
LPS
LPS
LPS
LPS
h
m
h′
C3
N
C2C1 C12
4, 5, · · · , 11
h′ = gN(h,m)
K12K3K2K1
N: bit offset h: chaining value m: 512-bit message block
The compression function is built form a 512× 512 - bit keylesspermutation LPS and XOR operations. All data paths are 512 bits.The 12 random round constants Ci are given in the standard spec.One can see the upper “line” (kinda) keying the lower line via Ki.
30 / 59
Streebog: LPS = L ◦ P ◦ S = L(P(S(x)))
S S S S S S S S
S S S S S S S S
S S S S S S S S
S S
S S
S S S S S S S S
S S S S S S S S
S S S S S S S S
( byte transpose )
0 8 16 24 32 40 48 56
1
2
3
4
5
6
7
9 17 25 33 41 49 57
10 18
13
14
15
26 58
59
60
61
62
63
34 42 50
55473931
22
21
30
29
38
37
46
45
54
53
23
( 64× 64-bit matrix )
L
L
L
L
L
L
( 8× 8-bit S-Box )
L ◦ P ◦ S
S P L
S : (“Substitution”) An 8× 8 - bit S-Box applied to each one of64 bytes (8× 64 = 512 bits).
P : (“Permutation”) Transpose of 8× 8 - byte matrix.L : (“Linear”) Mixing of rows with a 64× 64 binary matrix.
31 / 59
Streebog LPS: 1. Substitution step SWe write the state as zero-indexed matrix m[0 . . . 7][0 . . . 7],serialized as
v[ i ] = m[ ⌊i/8⌋ ][ i mod 8 ] for i = 0, 1, · · · , 63.
Streebog has a single 8-bit S-box S, as in AES.In this step, the 8× 8 - bit S-Box is applied to each byte (octet):
m′[ i ][ j ] = S(m[ i ][ j ]) for 0 ≤ i, j ≤ 7.
S has apparently been designed to resist classical cryptanalysis:▶ Differential bound: P = 8
256
▶ Best linear approximation: P = 28128
▶ All output bits have Deg 7Unknown design methodology; apparently not a simple equationlike the AES S-Box.
32 / 59
Streebog LPS: 2. Permutation step PA permutation of bytes in the state, equivalent of transposing the8× 8 byte matrix.Transposition is a reflection along the main diagonal, which canalso be seen as writing rows as columns:
m′[ i ][ j ] = m[ j ][ i ] for 0 ≤ i, j ≤ 7.
00 01 02 03 04 05 06 0708 09 0A 0B 0C 0D 0E 0F10 11 12 13 14 15 16 1718 19 1A 1B 1C 1D 1E 1F20 21 22 23 24 25 26 2728 29 2A 2B 2C 2D 2E 2F30 31 32 33 34 35 36 3738 39 3A 3B 3C 3D 3E 3F
T
=
00 08 10 18 20 28 30 3801 09 11 19 21 29 31 3902 0A 12 1A 22 2A 32 3A03 0B 13 1B 23 2B 33 3B04 0C 14 1C 24 2C 34 3C05 0D 15 1D 25 2D 35 3D06 0E 16 1E 26 2E 36 3E07 0F 17 1F 27 2F 37 3F
33 / 59
Streebog LPS: 3. Linear step LL is specified in the form of a 64× 64 - bit matrix in the GOSTstandard text but it is in fact built from a MDS matrixmultiplication in the finite field F28 with irreducible polynomialp(x) = x8 + x6 + x5 + x4 + 1 in “bit reverse” representation.
m′ = m · L or m′[ i ][ j ] =7⊕
k=0
m[ i ][ k ] ∗ L[ k ][ j ],
L =
8E 20 FA A7 2B A0 B4 70A0 11 D3 80 81 8E 8F 4090 DA B5 2A 38 7A E7 6F9D 4D F0 5D 5F 66 14 5186 27 5D F0 9C E8 AA A845 6C 34 88 7A 38 05 B9E4 FA 20 54 A8 0B 32 9C70 A6 A5 6E 24 40 59 8E
34 / 59
Structural Relationship to AES (“Square design”)
S S S S S S S S
S S S S S S S S
S S S S S S S S
S S
S S
S S S S S S S S
S S S S S S S S
S S S S S S S S
( byte transpose )
0 8 16 24 32 40 48 56
1
2
3
4
5
6
7
9 17 25 33 41 49 57
10 18
13
14
15
26 58
59
60
61
62
63
34 42 50
55473931
22
21
30
29
38
37
46
45
54
53
23
( 64× 64-bit matrix )
L
L
L
L
L
L
( 8× 8-bit S-Box )
L ◦ P ◦ S
S P L
S ≈ AES SubBytes. Larger state: 64 rather than 16 bytes.P ≈ AES ShiftRows. Each byte will be mixed with every other
byte in 2 rounds.L ≈ AES MixColumns. Rows are mixed with a MDS matrix.
The constant addition corresponds to AddRoundKey.
35 / 59
Streebog: Sponge Permutation π
For some vector of twelve 512-bit subkeys Ci we define a 512-bitpermutation πC(X1) = X13 with iteration
xi+1 = LPS(Xi ⊕ Ci) for 1 ≤ i ≤ 12.
We adopt 12 rounds of LPS as the Sponge permutation withparameters:
b Permutation size b = r + c = 512, the LPS permutation size.r Rate r = 256 bits.c Capacity c = 256 bits.
As π satisfies the indistinguishability criteria, we may choose:k Key size k = 192 bits.t Authentication tag (MAC) size t = 128 bits.k Nonce (IV) size t = 128 bits.
36 / 59
Easy Security ReductionTheoremIf πC(x) can be effectively distinguished from a randompermutation for an arbitrary set of constants Ci, so can gN(h, x) forany h and N.
Proof.If h is known, so are all of the subkeys Ki as those are a function ofh alone. We have the equivalence
gN(h, x)⊕ x⊕ h = πK(x⊕ N).
Assuming that the round constants Ci offer no advantage overknown round keys Ki, πC is as secure as πK and any distinguishershould have the same complexity.
We see that a generic powerful attack against π is also an attackon g. A distinguishing attack against g does not imply a collisionattack against Streebog as a whole.
37 / 59
Security Reduction Explained
Just replace C with K in π:
LPS
K1
LPS
K2
LPS LPS
K3 K12
x′x
x′ = πK(x)
We have gN(h, x)⊕ x⊕ h = πK(x⊕ N):
LPS LPS
LPS
LPS
LPS
LPS
LPS
LPS
LPS
h
m
h′
C3
N
C2C1 C12
4, 5, · · · , 11
h′ = gN(h,m)
K12K3K2K1
38 / 59
StriBob PerformanceStriBob requires 12 LPS invocations per 256 bits processed whereasStreebog requires 25 LPS invocations per 512 bits, making StriBobfaster. Also the runtime memory requirement is cut down to 25 %.Implementation optimization uses similar techniques as that ofAES. However 64-bit rows are better suited for modern 64-bitarchitectures (AES is from the 90s, 32-bit era).
Algorithm ThroughputAES - 128 / 192 / 256 109.2 / 90.9 / 77.9 MB/sSHA - 256 / 512 212.7 / 328.3 MB/sGOST 28147-89 53.3 MB/sGOST R 34.11-1994 20.8 MB/sGOST R 34.11-2012 109.4 MB/sStriBob 115.7 MB/s
..as measured on my few years old Core i7 @ 2.80. My StriBobimplementation, StriBob optimized reference implementation. Therest are OpenSSL (w/o AES NIS).
39 / 59
312 “Beyond Modes: Building a Secure Record
Protocol from a Cryptographic SpongePermutation”
Modified from a paper originally presented at:Cryptographers’ Track, RSA Conference ’14
San Francisco CA, February 26, 201440 / 59
Background: Complex, Insecure Legacy ProtocolsAll of the (de facto) standard network security protocols – SSL3,SSH2, TLS, IPSEC, PPTP, and wireless WPA2 (and itspredecessors) – consist of two essentially independent protocols:
1. The handshake / authentication protocol which authenticatesone or two parties and establishes a master shared secret K.
2. The transport / record protocol which provides security forapplication data streams based on K.
In addition to the plaintext P, data items required by recordprotocols to perform authenticated encryption at each direction:Ke Key for the symmetric encryption algorithm.Ka Key for the message authentication algorithm.S Incremental message sequence number.
IV Initialization vector for ciphers.That is 2× 4 = 8 separate cryptovariables and at least twodifferent algorithms (HMAC and block cipher) in addition to PRFs.
41 / 59
Two-party Synchronization
Legacy protocols use two independent channels: one from Alice toBob (A→ B) and another from Bob to Alice (B→ A).Example. Consider the following three transcripts:
T1 : B→ A : M2, A→ B : M1, A→ B : M3
T2 : A→ B : M1, B→ A : M2, A→ B : M3
T3 : A→ B : M1, A→ B : M3, B→ A : M2
These three exchanges have precisely the same valid representationon the two channels when sent over IPSEC, TLS, SSL, or SSHprotocols. The same authentication codes will match, etc.
42 / 59
The Synchronization Problem of Two-ChannelProtocols.
Despite individual message authentication, the interwoven order ofthe sequence of back-and-forth messages cannot be unambiguouslydetermined and authenticated with legacy protocols.This is why transaction records are often authenticated on theapplication level as well, adding an another layer of complexity.Issue also affects basic end-user interactive security as portions ofserver messaging can be maliciously delayed, encouraging the userto react to partial information.Legal perspective on unambiguous session transcripts:Steven J. Murdoch and Ross Anderson: “Security Protocols andEvidence: Where Many Payment Systems Fail.” FinancialCryptography and Data Security 2014, 3 – 7 March 2014,Barbados.
43 / 59
Motivation for BLNKLegacy protocols are unsuited for ultra-lightweight applications.Academic research has focused on lightweight primitives, andsuitable lightweight, general purpose communications protocolshave not been proposed.We need a generic short-distance lightweight link layer securityprovider that can function independently from upper layerapplication functions.
▶ Design with mathematical and legal provability in mind.▶ Aim at simplicity and small footprint: use a single sponge
permutation for key derivation, confidentiality, integrity, etc.In traditional protocols these are all different functions.
▶ Use a single state variable in both directions, instead of 8+cryptovariables. Allow forward security via forgetting.
▶ Ideally this protocol would be realizable with semi-autonomousintegrated hardware, without much CPU or MCU involvement.
44 / 59
Recap: Sponge-based Authenticated Encryption
π π π π π π π
r
c
IV
d0 d··· p1 c1 p··· c··· h0 h···p0 c0
squeezing phaseencryption phaseabsorbtion phase
1. Absorption. Key, nonce, and associated data (di) are mixed.2. Encryption. Plaintext pi is used to produce ciphertext ci.3. Squeezing. Authentication Tag hi is squeezed from the state.4. Why not use that final state as IV for reply and go straight to
Step 2 ? (feature called “sessions” in Ketje and Keyak)
45 / 59
SimplificationLegacy protocol encryption of P to C with 4 cryptovariables:
C = fcs(P,S, IV,Ke,Ka).
Decryption can fail in authentication (auth tag is in C):
f−1cs (C,S, IV,Ke,Ka) = P or FAIL.
In sponges we have a state Si, plaintext Pi, and some padding infothat produces a new state and ciphertext (including a MAC):
(Si+1,Ci) = enc( Si,Pi, pad ).
The decoding function dec() produces the same Si+1 and Pi fromthe ciphertext and equivalent Si and padding, synchronizing thestate between sender and receiver:
(Si+1,Pi) = dec( Si,Ci, pad ) or FAIL.
46 / 59
Security Goals
Designers should have provable bounds on these three goals:
priv The ciphertext result C of enc(S,P, pad) must be indis-tinguishable from random when S is random and P maybe chosen by the attacker.
auth The probability of an adversary of choosing a message Cthat does not result in a FAIL in dec(S,C, pad) withoutknowledge of S is bound by a function of the authenti-cation tag size t and number of trials.
sync Each party can verify that all previous messages of thesession have been correctly received and the absolute or-der in which messages were sent.
First two are standard Authentication Encryption requirements, thelast one is new.
47 / 59
Solution: Just continue to use the state in reply!
Initial state: S0 Initial state: S0
A B
enc(S0,M1) = (S1, C1)
dec(S0, C1) = (S1,M1)
enc(S1,M2) = (S2, C2)
A → B : C1
dec(S1, C2) = (S2,M2)
enc(S2,M3) = (S3, C3)
B → A : C2
A → B : C3
dec(S2, C3) = (S3,M3)
Final state: S3 Final state: S3
Simplified interchange of three messages whose plaintextequivalents are A→ B : M1, B→ A : M2, A→ B : M3, utilizing asynchronized secret state variables Si.The order of messages cannot be modified and hence thisexchange is sync-secure !
48 / 59
So .. it’s Half-Duplex ?Half-duplex links may not seem ubiquitous to developers due tothe use of the socket programming paradigm. Full-duplex illusion isoften achieved by time-division duplexing.
▶ Half-duplex is physically prevalent on sensor networks, IoTand last-hop radio links: Bluetooth and IEEE 802.15.4 ZigBeeare half-duplex.
▶ In addition to wireless last-hop transports, most RFID, smartcard [ISO 7816-4, ISO 18000-63], and industrial control[MODBUS] communications are implemented under aquery-response model and are therefore effectively half-duplex.
▶ Half-duplex links can be established wirelessly with unpairedfrequencies (same frequency in both directions), or with(twisted-wire / single contact) serial links. These are a typicalscenarios in lightweight time-divide communications, ourspecific targets.
49 / 59
Unambiguous Session Transcripts via Better DomainSeparation
▶ Keccak only has domain separation between data input andhash output.
▶ Keccak-160/256/512 are distinguished from each other viadifferent rates r, not via padding or IV; different hardware fordifferent hash sizes?!
▶ DuplexWrap extended this to domain separation with framebits between key material, payload data, and messageauthentication tag.
▶ Sakura added further frame bits yet again to facilitate treehashing.
We want to have a extensible padding mechanism that allow samehardware to be used for any purpose.Key feature in BLNK: originator bits; whether sponge input is fromAlice, Bob, Both (e.g. DH Secret), or none in particular..
50 / 59
Multiplexing the SpongeWe retain one d-bit word D in Sc for domain separation;Sc = (Sd || Sc′) with c′ = c− d. The iteration for arbitraryabsorption, squeezing, and encryption is now:
Si+1 = π( Sri ⊕Mi || Sd
i ⊕ Di || Sc′i ).
For decryption we have the following update function:
Si+1 = π( Ci || Sdi ⊕ Di || Sc′
i ).
In StriBob / BLNK, d = 8 bits. The actual capacity suffers only bycouple of bits.Even hash and MAC outputs are padded (length padding + domainseparation). This protects against length-extension attacks.
51 / 59
Multiplex ByteDepending on protocol state and the intended usage of messageblock, multiple bits are set simultaneously. From ref/stribob.h:
Bit Mask When set0 BLNK_END 0x01 Full input or output block (r bits)1 BLNK_FIN 0x02 Final block of this domain element2 BLNK_A2B 0x04 Originating from Alice3 BLNK_B2A 0x08 Originating from Bob
4-6 BLNK_DAT 0x00 Bulk data for hashing (in)4-6 BLNK_KEY 0x10 Secret key (in)4-6 BLNK_NPUB 0x20 Public nonce or sequence no (in)4-6 BLNK_NSEC 0x30 Secret nonce or sequence no (i/o)4-6 BLNK_AAD 0x40 Authenticated Associated Data (in)4-6 BLNK_MSG 0x50 Message Payload (i/o)4-6 BLNK_MAC 0x60 Keyed MAC (out)4-6 BLNK_HASH 0x70 Hash (out)7 BLNK_BIT7 0x80 Reserved for future extensions
52 / 59
Example: Authenticated Record Protocol Flow (1)We first absorb and transmit the identities Ia and Ib of Alice andBob into the state. These are not encrypted; S0 is IV.Identifiers Ia and Ib should be random strings of sufficient size (atleast 128 bits).This is an optional step that helps both parties select the correctshared secret K.
(S1,M1) = enc(S0, Ia, 0x44) | A→ B : M1
(S2,M2) = enc(S1, Ib, 0x48) | B→ A : M2
S3 = enc(S2,K, 0x1C) | no transmission
K may be from a lightweight asymmetric key exchange methodsuch as Curve25519 [Bernstein 2006] or derived from passwords.It is never transmitted, but just absorbed in the secret state toproduce S3 from S2.
53 / 59
Example: Authenticated Record Protocol Flow (2)
Two random nonces Ra and Rb are required for challenge-responseauthentication and to make the session unique.
(S4,M3) = enc(S3,Ra, 0x24) | A→ B : M3
(S5,M4) = enc(S4,Rb, 0x28) | B→ A : M4
We may now perform mutual authentication with tags of t bits:
(S6,M5) = enc(S5, 0t, 0x64) | A→ B : M5
(S7,M6) = enc(S6, 0t, 0x68) | B→ A : M6
Checking M5 and M6 completes mutual authentication. By aninductive process we see that the session secret S7 is nowrandomized by both parties and the shared secret is not leaked.
54 / 59
Example: Authenticated Record Protocol Flow (3)
After this, plaintexts Pa (for A→ B) and Pb (for B→ A) can beencrypted, transmitted and authenticated by repeating thefollowing exchange:
(Si+1,Ma) = enc(Si,Pa, 0x54) | A→ B : Ma
(Si+2,Ta) = enc(Si+1, 0t, 0x64) | A→ B : Ta
(Si+3,Mb) = enc(Si+2,Pb, 0x58) | B→ A : Mb
(Si+4,Tb) = enc(Si+3, 0t, 0x68) | B→ A : Tb
Due to explicit padding it is easy to show inductively that the entiremessage flow is authenticated if appropriate checks are made.
55 / 59
Semi-Autonomous Hardware
BLOCK IN
PADDING IN
SEND/RECV IN
BLOCK OUT
CLK IN
RST IN
CLR STATE IN
r r
dLogic and π
ERROR OUT
If we incorporate K management in the comms hardware sessionsecrets never have to leave (and cannot leave) a specific hardwarecomponent and are inaccessible to MCU/CPU app.Such separation is very difficult (and costly) to achieve with SSLand other legacy protocols which generally require CPU/MCUinteraction to create encryption and authentication keys fromsession secrets.
56 / 59
Conclusions on BLNK mode used in STRIBOB▶ Provably secure lightweight record protocols can be built from
a single π permutation. No need for separte PRF, HMAC,Block Cipher, and a mode of operation. Significantly reducesimplementation ROM / Flash footprint.
▶ Working memory required to implement the entire two-wayBLNK protocol is only slightly more than b bits for the state.Legacy protocols require additional storage for two sequencecounters / nonces, authenticators, cipher round keys, etc.
▶ Explicit padding and continuous authentication resolvessynchronization issues and allows straight-forward inductivesecurity proofs based only on a single assumption.
▶ Provable transcripts: final “state hash” proves the integrity ofan entire transaction rather than an individual message.
▶ BLNK is a class of half-duplex security protocols. Well suitedfor IoT, Smart Card, RFID, NFC, and other last-lap security.
57 / 59
CRO of F-Secure, 29 Apr 2014 when StriCat was released.
Download StriCat Source from my web site:http://www.stribob.com/stricat
▶ Portable, self-contained,open source, POSIX compliant,relatively small (couple of thousand lines).
▶ Implementation of secure links over TCP using the BLNKprotocol. Can be used as a secure replacement for netcat.
▶ File encryption and decryption using an authenticatedchunked file format; you can efficiently encrypt a backupstream up to terabytes in size.
▶ Hashing of files and streams. StriCat can also do 256- and512-bit Streebog hashes.
58 / 59
Thank you for yourattention!
More questions?
Finally a small demo iftime and projectorresolution permits.
$ ./stricat -hstricat: STRIBOB / STREEBOG Cryptographic Tool.(c) 2013-4 Markku-Juhani O. Saarinen <[email protected]>. See LICENSE.
stricat [OPTION].. [FILE]..-h This help text-t Quick self-test and version information
Shared secret key (use twice to verify):-q Prompt for key-f <file> Use file as a key-k <key> Specify key on command line
Files:-e Encrypt stdin or files (add .sb1 suffix)-d Decrypt stdin or files (must have .sb1 suffix)-s Hash stdin or files in STRIBOB BNLK mode (optionally keyed)-g GOST R 34.11-2012 unkeyed Streebog hash with 256-bit output-G GOST R 34.11-2012 unkeyed Streebog hash with 512-bit output
Communication via BLNK protocol:-p <port> Specify TCP port (default 48879)-c <host> Connect to a specific host (client)-l Listen to incoming connection (server)
59 / 59